Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: FortiOS 5.2: should we wait or should we go?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiOS 5.2: should we wait or should we go?
Questions to those who had been brave enough to upgrade their units to FortiOS v5.2.0:
How did it handle complex configurations in the course of upgrade (I mean " in-place upgrade" )?
Are there any pitfalls to watch for?
Does v5.2 work stable?
Is there anything to loose in the jump to v5.2?
Are you still there on v5.2 or had to go back to v5.0 for one reason or another?
What are your overall experiences so far?
We have a pure FortiOS v5.0.7 in our environment. It generally works fine but our main headache is new FortiAPs supporting 802.11ac - they are practically unusable on v5.0.7 (we do not want to go with " interim" FortiOS build as it raises a whole bunch of other questions).
Thank you all for any feedback,
VA
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default the SSL profile is " certificate-inspection" . In this mode the FortiGate is basically just reading the dns name from the certificate during the SSL handshake.
Question... Has anyone really had an issues with SSL connections while using " certificate-inspection" ?
I haven' t had an issue and I like the fact that the " certificate-inspection" is on by default. Other firewall companies are doing the same thing.
52 REPLIES 52
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in 5.2 when you edit existing a security policy or create a new one SSL inspection will be enabled and you can' t disable itGhorchem is right. You can specify all sorts of exceptions and exemptions but you cannot completely disable SSL inspection. If a security profile is enabled in a firewall policy - SSL inspection is ON and greyed out - you cannot change its status to OFF.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The same here, not a problem with editing an existing policy.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I upgraded from V5.0 build 4459 on a 60D I found this in the What' s New for FortiOS 5.2.0 guide.
SSL Inspection
There have been several changes to how SSL Inspection is handled on a FortiGate unit.
Automatic Inspection When Security Profiles are Used
If any security profile is used in a security policy, SSL inspection will automatically be enabled, at which point an SSL mode must be selected (see below for more details).
HTTPS Scanning Without Deep Inspection
The following changes have been made in order to allow HTTPS traffic to be scanned without enabling deep inspection:
• There are now two modes for SSL inspection: certificate inspection
(certificate-inspection in the CLI), which only inspects the SSL handshake, and
deep inspection (deep-inspection in the CLI), which enables full deep inspection
of SSL traffic (this was previously the default mode for SSL inspection).
• The CLI command https-url-scan has been removed.
• deep-inspection-options has been renamed ssl-ssh-profile.
• The SSL inspect-all option and the https status option now have three states:
disable, certificate-inspection, and deep-inspection. The status option for
the other protocols now use deep-inspection instead of enabled.
When a new policy or profile group is created, the SSL inspection profile certificate-inspection is automatically added.
SSL/Deep Inspection Exemptions
The options for configuring exemptions to SSL/Deep Inspection is now configured as part of the deep inspection options, rather than FortiGuard web filtering. Exemptions can be added to SSL inspection by going to Policy & Objects > Policy > SSL Inspection or through the CLI.
Certain applications, such as iTunes and Dropbox, require a specific certificate to be used, rather than using the use the system' s certifciate store. Because of this, the default deep inspection profile, deep-inspection, has exemptions configured for these applications by default in FortiOS 5.2.
Syntax
config firewall ssl-ssh-profile
edit <name>
config ssl-exempt
edit <id>
set type {fortiguard-category | address | address6}
set category <id>
set address <string>
end
end
end
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No he' s not 100% correct & he wasn' t 100% clear
fwiw:Here' s a TIP if you don' t want SSL inspection screwing anything up, just create a SSL inspection with nothing enabled
Also take a look at profile-protocol-options also
edit " noinspection1"
config https
set ports 443
set status disable
end
config ftps
set ports 990
set status disable
end
config imaps
set ports 993
set status disable
end
config pop3s
set ports 995
set status disable
end
config smtps
set ports 465
set status disable
end
next
end
and you can re-edit the fwpolicy via the gui or cli and change the policy to one of the other inspection as required of a later date if you need inspection
TESTFW01 (10) # show
config firewall policy
edit 1089
set uuid 7603f088-fce9-51e3-167d-df80cb5c7757
set srcintf " wifi"
set dstintf " virtual-wan-link"
set srcaddr " all"
set dstaddr " all"
set action accept
set schedule " always"
set service " skype_ports"
set utm-status enable
set logtraffic disable
set profile-protocol-options " default"
set ssl-ssh-profile " certificate-inspection"
set traffic-shaper " guarantee-100kbps"
set nat enable
next
end
TESTFW01 (10) # set ssl-ssh-profile
<string> please input string value
certificate-inspection ssl-ssh-profile
deep-inspection ssl-ssh-profile
default ssl-ssh-profile
noinspection ssl-ssh-profile
noinspection1 ssl-ssh-profile
TESTFW01 (10) # set ssl-ssh-profile noinspection1
TESTFW01 (10) # end
and we can change the profile-prot-opts
config firewall profile-protocol-options
edit " nosinpection"
config http
set ports 80
set status disable
set options no-content-summary
unset post-lang
end
config ftp
set ports 21
set status disable
set options no-content-summary splice
end
config imap
set ports 143
set status disable
set options fragmail no-content-summary
end
config mapi
set ports 135
set status disable
set options fragmail no-content-summary
end
config pop3
set ports 110
set status disable
set options fragmail no-content-summary
end
config smtp
set ports 25
set status disable
set options fragmail no-content-summary splice
end
config nntp
set ports 119
set status disable
set options no-content-summary splice
end
config dns
set ports 53
set status disable
end
next
end
and then you apply this to the firewall policies(s)
config firewall policy
edit 1089
set profile-protocol-options " noinspection"
end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you don' t want SSL inspection screwing anything up, just create a SSL inspection with nothing enabledThat' s the whole point! You can' t " click a button" to turn SSL inspection OFF like you do with other UTM features. But you may create a custom SSL profile with everything disabled which effectively turns SSL inspection off. So you both (emnoc and gnorchem) are right. Although you do not need to wait for this single " SSL ON/OFF button" to make Novell Groupwise work on 5.2.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Man you are really making this more harder than what it is. Just click the button in the oval screensshot , edit the profile and then disable ssl inspection if not required.
If you enable application control, than the SSL inspection tab is greyed out. Not very hard or too much extra work or difficult or at least I don' t think so.
If you don' t want SSL inspection messing anything up. Define the default with all items disable or create a noispection profile ( like mention above ) and apply the same logic. Once again a minor convenience, but really to much difficult or impacting.
remember you need application controls enable for fortiview to identify Applications
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did the upgrade on bother of my production clusters (200D' s) in both sites. Crazy you say? Perhaps.
I was in the " pick a bug" category of deciding what was most important. The devices have been essentially stable since the upgrade. The notes above on SSL inspection are important and that did bite me early on. One thing that is completely broken is generic IPsec connections from client devices (old Cisco clients, iOS devices). I had a tunnel config for that in place from pre-upgrade and it failed to work, i tried the wizard and that blew up the entire cluster. I tried to create it manually and things still wouldn' t connect.
Wireless (i' m using 221Cs) is significantly more stable than it was under the " feature release" for 5.0.7 so that is good. It has not, however, fixed my main bug with IPSec tunnel performance (i' ll put that in a different thread). Memory usage is riding right at 80%, I expect that to improve a bit with 5.2.x.
So... is it safe? Yes, is it perfect? Nope, same bag of tricks as previous releases.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default the SSL profile is " certificate-inspection" . In this mode the FortiGate is basically just reading the dns name from the certificate during the SSL handshake.
Question... Has anyone really had an issues with SSL connections while using " certificate-inspection" ?
I haven' t had an issue and I like the fact that the " certificate-inspection" is on by default. Other firewall companies are doing the same thing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was disappointed to see that the ability to make DHCP reservations was removed from the WebUI in 5.2.0. In 5.0.x, it was simple to turn a bunch of leases into reservations, but I just had to do this all through CLI, where it is much easier to make a typo on a MAC address.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can always print the lease list and copy/paste:
exec dhcp lease-list
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,706 -
FortiClient
1,766 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
434 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.